OAuth Implementer
Verified
Implements OAuth 2.0 and OIDC flows (authorization code, PKCE, client credentials) with provider-specific configurations for Google, GitHub, and more.
Install
Claude Code
Copy the SKILL.md file to your project's .claude/skills/ directory
About This Skill
OAuth Implementer generates correct, secure OAuth 2.0 and OpenID Connect implementations. OAuth is notoriously easy to implement insecurely — this skill enforces the security requirements that the spec mandates but developers often overlook.
Flows Supported
Authorization Code + PKCE (Recommended for Web and Mobile)
1. Generate `code_verifier` (cryptographically random, 43-128 chars)
2. Compute `code_challenge = BASE64URL(SHA256(code_verifier))`
3. Authorization request with `code_challenge` and `code_challenge_method=S256`
4. Token exchange with `code_verifier` for validation
5. Server-side `state` parameter validation (CSRF protection)
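The five steps above, carried out end to end in one added example (this is illustrative code written for this page, not the skill's generated output). It assumes an in-memory `PENDING` dictionary standing in for a server-side session store, a constructed `client_id` and endpoints, and it includes the authorization server's side of step 4 (`verifier_matches_challenge`) so the S256 check can be exercised offline; the names are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Server-side store of in-flight authorizations, keyed by state.
# In-memory stand-in for a session store (assumption for this example).
PENDING: dict[str, dict] = {}


def generate_code_verifier(length: int = 64) -> str:
    """Step 1: random verifier, 43-128 chars of [A-Za-z0-9-._~] (RFC 7636)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    # token_urlsafe emits only base64url characters, all permitted by the RFC;
    # it yields ~4n/3 chars for n bytes, so the slice never shortens below length.
    return secrets.token_urlsafe(length)[:length]


def code_challenge_s256(code_verifier: str) -> str:
    """Step 2: BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(auth_endpoint: str, client_id: str,
                                redirect_uri: str, scope: str) -> tuple[str, str]:
    """Step 3: build the redirect to the provider; bind verifier and redirect_uri to a fresh state."""
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(32)  # unguessable, one per request
    PENDING[state] = {"code_verifier": verifier, "redirect_uri": redirect_uri,
                      "client_id": client_id}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}", state


def handle_callback(query: dict) -> dict:
    """Step 5 then step 4: validate state server-side, then assemble the token request.

    The state is popped, so a replayed or forged callback cannot match.
    Returns the form body the client would POST to the token endpoint.
    """
    state = query.get("state")
    pending = PENDING.pop(state, None) if state else None
    if pending is None:
        raise PermissionError("unknown or reused state: rejecting callback (CSRF protection)")
    if "error" in query:
        raise RuntimeError(f"provider returned error: {query['error']}")
    code = query.get("code")
    if not code:
        raise ValueError("callback carried no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],   # must equal the one sent in step 3
        "client_id": pending["client_id"],
        "code_verifier": pending["code_verifier"],  # proves this client started the flow
    }


def verifier_matches_challenge(stored_challenge: str, stored_method: str,
                               presented_verifier: str) -> bool:
    """Authorization server side of step 4: recompute and compare in constant time."""
    if stored_method != "S256":
        return False  # 'plain' offers no protection; accept only S256
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    url, state = build_authorization_request(
        "https://provider.example.test/authorize",  # constructed endpoint
        "client-123", "https://app.example.test/oauth/callback", "openid email profile")
    print("redirect user to:", url)
    challenge_seen_by_provider = code_challenge_s256(PENDING[state]["code_verifier"])
    body = handle_callback({"state": state, "code": "constructed-auth-code"})
    print("token request body:", body)
    print("provider accepts verifier:",
          verifier_matches_challenge(challenge_seen_by_provider, "S256", body["code_verifier"]))
```

Note that `handle_callback` pops the state before anything else, so every state value is accepted at most once, and the `redirect_uri` sent at token exchange comes from the stored request rather than from the callback's query string.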
Client Credentials (Machine-to-Machine)
Backend services authenticating to APIs without user involvement. Includes token caching to avoid re-fetching valid tokens.
Device Authorization Grant
For CLI tools and TV apps without browser access.
Provider Configurations
- Pre-configured for:
  - Google — `accounts.google.com` endpoints, `openid email profile` scopes, JWKS verification
  - GitHub — OAuth App vs GitHub App distinction, user email API call required
  - Microsoft Azure AD — tenant-specific endpoints, Graph API integration
  - Auth0 — custom domain, audience parameter
  - Generic OIDC — discovery document parsing (`/.well-known/openid-configuration`)
Security Checks Enforced
- `state` parameter generated and validated on every authorization request
- Token stored in HttpOnly, Secure, SameSite=Strict cookie (not localStorage)
- Token expiry checked before every API call
- `id_token` signature verified using provider's JWKS endpoint
- Redirect URI exact match (no wildcard, no substring match)
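Three of the checks in this list (exact redirect URI match, HttpOnly/Secure/SameSite=Strict cookie, expiry check before each API call) in one added example. This is illustrative code written for this page, not the skill's output; the registered URI, the clock values and the helper names are constructed assumptions. The weak substring check is included only to show what the exact-match rule rejects that a looser comparison would let through.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Redirect URIs registered for this client (constructed value for the example).
REGISTERED_REDIRECT_URIS = {"https://app.example.test/oauth/callback"}


def redirect_uri_is_allowed(candidate: str) -> bool:
    """Exact-match policy: the whole string must equal a registered URI.

    No wildcard, no prefix, no substring comparison. Also refuses non-https,
    relative URIs and URIs carrying a fragment before even consulting the list.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return candidate in REGISTERED_REDIRECT_URIS


def substring_match_is_weak(candidate: str) -> bool:
    """The comparison the checklist forbids, kept here only to contrast with the exact match.

    Any URL that merely *contains* a registered URI (for example inside a query
    parameter of an unrelated host) satisfies it.
    """
    return any(registered in candidate for registered in REGISTERED_REDIRECT_URIS)


def session_cookie_header(name: str, value: str, max_age_seconds: int) -> str:
    """Set-Cookie line for a token-bearing session cookie: HttpOnly, Secure, SameSite=Strict."""
    return (f"{name}={value}; Max-Age={max_age_seconds}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


def store_token(token_response: dict, now: datetime) -> dict:
    """Convert the provider's relative expires_in into an absolute expires_at."""
    return {
        "access_token": token_response["access_token"],
        "expires_at": now + timedelta(seconds=int(token_response["expires_in"])),
    }


def token_is_fresh(token: dict, now: datetime, skew_seconds: int = 30) -> bool:
    """Check before every API call; treat a token inside the skew window as expired."""
    return now + timedelta(seconds=skew_seconds) < token["expires_at"]


if __name__ == "__main__":
    tricky = "https://evil.example.test/?next=https://app.example.test/oauth/callback"
    print("exact match accepts tricky URI:", redirect_uri_is_allowed(tricky))        # False
    print("substring match accepts tricky URI:", substring_match_is_weak(tricky))   # True
    print(session_cookie_header("session", "opaque-session-id", 3600))
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    tok = store_token({"access_token": "constructed", "expires_in": 3600}, issued)
    print("fresh after 55 min:", token_is_fresh(tok, issued + timedelta(minutes=55)))
    print("fresh after 59m40s:", token_is_fresh(tok, issued + timedelta(minutes=59, seconds=40)))
```

The cookie carries an opaque session id rather than the access token itself; the token stays server-side and is looked up per request, which is what keeps it out of reach of page scripts.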
Framework Integrations
- Next.js with NextAuth.js / Auth.js
- Express.js with passport-oauth2
- FastAPI with Authlib
- Go with golang.org/x/oauth2
Use Cases
- Adding Google and GitHub social login to web applications
- Implementing OAuth 2.0 with PKCE for single-page and mobile applications
- Building machine-to-machine API authentication with client credentials flow
- Setting up multi-provider OAuth with a unified user identity model
Pros & Cons
Pros
- + PKCE implementation correct for public clients — not just appended as afterthought
- + State parameter CSRF protection enforced on every flow
- + Token storage in HttpOnly cookies — prevents XSS token theft
- + Pre-configured for 5 major OAuth providers
Cons
- - Generated code must be reviewed by a security-aware developer for production use
- - Provider-specific quirks (GitHub requiring a separate email API call) must be validated against current provider documentation
Related AI Tools
Claude Code
Paid
Anthropic's agentic CLI for autonomous terminal-native coding workflows
- Terminal-native autonomous coding agent
- Full file system and shell access for multi-step tasks
- Deep codebase understanding via repository indexing
Cursor
Freemium
AI-native code editor with deep multi-model integration and agentic coding
- AI-native Cmd+K inline editing and generation
- Composer Agent for autonomous multi-file changes
- Full codebase indexing and context awareness
GitHub Copilot
Freemium
AI pair programmer that suggests code in real time across your IDE
- Real-time code completions across 30+ languages
- Copilot Chat for natural language code Q&A
- Pull request description and summary generation
Related Skills
JWT Validator
Verified
Implements secure JWT creation, validation, and rotation with proper algorithm selection, claim validation, and key management.
Auth Middleware Builder
Verified
Generates authentication and authorization middleware for Node.js, Python, and Go APIs with JWT, API keys, and RBAC.